We've simplified; HTTPS_PROXY or https_proxy is used for all requests.
We also require that only our self-signed certificates are used for
secure traffic. That rules out all SSL-terminating MITM proxies, since
we don't trust their root certificate.
Once we're sure that this system works for people, we'll improve config
on MacOS and Windows.